January 16, 2023

Prepare Yourself for the Coming Changes in Privacy Laws: What to Expect in 2023

It is 2023 already, but there are still significant changes in data protection legislation worldwide. And that means changes in the requirements for businesses that operate online and internationally.

Most of the changes likely to happen in the next year will occur in North America. In the United States, California’s privacy legislation received two updates, one of which is aimed solely at children. Four other US state laws similar to the one in California take effect throughout 2023, but the US still lacks a federal privacy law.

The majority of Quebec's new privacy laws will go into effect in September 2023. Simultaneously, Canada intends to modernize PIPEDA on a federal level.

There were fewer changes in the rest of the world. We will look at the most important ones in this article. If you operate on a global scale, you must be aware of potential changes and adjust your practices accordingly to avoid fines. 

Some of the changes mentioned in this article concern laws that have been enacted and will take effect very soon this year. Others are scheduled to be enacted later this year, but you should be aware of them. 

We will begin with the United States and Canada before moving on to the few existing and anticipated changes in the rest of the world.

California’s Consumer Privacy Rights Act (CPRA)

By enacting the California Consumer Privacy Act (CCPA) in 2020, California became the first US state to pass privacy legislation. Californians were dissatisfied with that law, so the Consumer Privacy Rights Act was passed on 1 January 2023, to improve it. 

The CPRA complements rather than competes with the CCPA. The following are the most notable CPRA requirements: 

  • Providing consumers with a privacy notice
  • Honoring CPRA consumer requests
  • Allowing consumers to opt out of the sale of personal information
  • Allowing consumers to limit the processing of sensitive personal information
  • Implementing the data minimization and purpose limitation principles
  • Ensuring that your service providers comply with the law
  • Establishing a data retention period

Penalties are the same as under the CCPA: up to $7,500 per violation, with no upper limit. The CPRA, unlike the CCPA, does not allow for a cure period for violations. 

The newly formed California Privacy Protection Agency and the California Attorney General have been given authority to enforce the law.

Read our in-depth article on the CPRA requirements your business needs to meet.

California Age-Appropriate Design Code Act (CAADCA)

The California Age-Appropriate Design Code Act was passed in 2022 and comes into effect in 2024, but you need to prepare for it this year.

It applies to all products and services that children are likely to use, which include:

  • Those geared toward children, such as video games
  • Those that have been accessed by a significant number of children, which can be assessed by evidence
  • Those that include elements that are commonly associated with children's interests, such as games and cartoons
  • Those that have features that are essentially similar to features routinely accessed by children

If this describes your products or services, you must: 

  • Conduct children’s privacy protection impact assessments
  • Tailor the products to the users’ age
  • Provide privacy by default
  • Provide a clear privacy policy
  • Provide clear terms and conditions
  • Provide the child with a signal that they are being tracked or monitored by a parent or guardian, if applicable
  • Honor privacy requests

Virginia Consumer Data Protection Act (VCDPA)

Virginia became the second state in the United States to enact a data privacy law. It is similar to California's CCPA and CPRA, as well as the privacy laws of the other three US states. 

The VCDPA applies to businesses that are registered in Virginia or that target Virginia residents and that:

  • Control or process the personal data of at least 100,000 Virginia residents, or
  • Control or process the personal data of at least 25,000 Virginia consumers and derive over 50% of their gross revenue from the sale of personal data in a calendar year.

If your business meets these criteria, the VCDPA has the following requirements for you: 

  • Provide consumers with a privacy notice
  • Honor consumer requests
  • Allow consumers to opt out of the sale of personal information
  • Ensure that you have data processing agreements in place with your data processors
  • Conduct a Privacy Impact Assessment if required

Noncompliance can result in fines of up to $7,500 per violation, with no upper limit. 

More information on the Virginia Consumer Data Protection Act can be found here. 

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) takes effect on 1 July 2023. It makes Colorado the third state in the United States to enact and enforce a consumer data privacy law. 

The CPA applies to data controllers who are based in Colorado or who sell goods or provide services to people who live in Colorado and who, during a calendar year, control or process the personal data of either:

  • 100,000 consumers or more, or
  • 25,000 consumers or more, and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).

There are no revenue thresholds, which means that the CPA will likely apply to many businesses' operations.

These businesses need to be aware of the following critical CPA requirements:

  • Provide consumers with a privacy notice
  • Provide consumers with mechanisms to opt out of the sale of personal information, targeted advertising, and profiling
  • Honor consumer requests
  • Conduct a data protection impact assessment where there is a risk to consumers

The fine is $20,000 per violation, which is higher than in other states. Businesses will initially have a cure period to correct the violation. However, that provision will expire in 2025. 

Read our in-depth article on the CPA for more information. 

Utah Consumer Privacy Act (UCPA)

You have to comply with the new Utah consumer privacy law if your business:

  • Conducts business in the state of Utah or produces a product or service that is targeted to consumers who are residents of the state, and
  • Has annual revenue of $25,000,000 or more, and
  • Satisfies one or more of the following thresholds:
    - During a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or
    - Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

If you meet these requirements and the UCPA applies to your business, you must plan to comply by the end of 2023. 

Businesses that must align with the UCPA must prepare for the following:

  • Provide consumers with a privacy notice
  • Have processing agreements in place
  • Honor consumer requests
  • Provide consumers with mechanisms to opt out of the sale of personal information or from targeted advertising

Among the few similar laws in the United States, the UCPA is the least stringent. Nonetheless, it punishes violations in the same manner as others. The penalty for each violation is up to $7,500. 

More information about the Utah UCPA can be found here. 

Connecticut Data Protection Act (CTDPA)

The Connecticut Data Protection Act takes effect on 1 July 2023, but some of its provisions will not be applicable until 2024 or 2025. 

Its applicability requirements are very similar to those of other state privacy laws in the United States. It has an impact on your business if you operate in Connecticut or target Connecticut residents and meet at least one of the following criteria: 

  • Controlling or processing the personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
  • Controlling or processing the personal data of 25,000 or more consumers and deriving more than 25% of gross revenue from selling personal data.

These requirements are slightly stricter than other laws and will affect more businesses. It does not, however, apply to all online businesses. 

If it applies to you, here’s what you need to consider:

  • Provide consumers with a privacy notice
  • Implement purpose limitation and data minimization principles
  • Allow consumers to opt out of the processing of sensitive personal information
  • Conduct data protection assessments where the processing may pose a risk

We have an in-depth article on CTDPA requirements for your business.

American Data Privacy and Protection Act (ADPPA)

The American Data Privacy and Protection Act (ADPPA) has yet to be passed. It is still uncertain whether it will be published in 2023. 

The federal government of the United States still needs to pass a comprehensive data protection law. The ADPPA aims to change that by bringing federal legislation in line with global data privacy trends. 

The draft text is based on the opt-out principle, but it imposes numerous obligations that state laws do not. If the law is passed, it will apply to all businesses. 

Read our article on US ADPPA here to get a better understanding of what your business may be required to do if this law is passed anytime soon.

EU’s ePrivacy Regulation

The long-awaited ePrivacy Regulation (ePR) could be implemented in 2023. However, we are still unsure whether it will be passed. 

The decision-making process in the European Union is complex and time-consuming. According to the most recent information from Brussels, the current text of the ePR is final and will be passed in the near future. 

Some of the changes will include easier ways to agree to and delete cookies, as well as clearer rules about when consent is required. 

If you want to learn more, check out our article on the most recent updates to the EU's ePrivacy Regulation.

EU-US Data Flow Agreement

The Schrems II decision made it more difficult for EU data controllers to use US data processors. That will all change in 2023. 

The European Commission released the Transatlantic Privacy Framework, a draft adequacy decision for safe data flows with the US, in December 2022. 

The US legislation continues to be an issue for secure data transfers. Nonetheless, the US counterparts will now guarantee judicial protection if the US government accesses the data of an EU data subject. 

NOYB's Max Schrems stated that they would address the adequacy decision. We don't know if they'll be able to successfully block data flows between the US and the EU again. Until then, however, businesses will freely transfer personal data without fear of being penalized for using US software. 

UK Data Protection and Digital Information Bill

The UK currently has two data protection laws in place: the UK DPA and the UK GDPR. Furthermore, the Privacy and Electronic Communications Regulations (PECR) govern how businesses can collect and process personal data. 

Now that the UK is no longer a member of the EU, it wants to enact a data protection law that is tailored to its needs. The bill is still very similar to the GDPR, but there are some differences. 

Most notably, if passed in the current text, it will:

  • Simplify and clarify the rules around legitimate interests
  • Simplify and clarify the rules around responding to data subject requests
  • Relax the requirements around records of data processing
  • Simplify international data transfers
  • Remove the requirements to obtain consent for statistical cookies
  • Increase fines for nuisance calls

The bill is still being debated in the UK Parliament. Should it be passed, it would be one of the most significant occurrences in data privacy in 2023.

More information on the UK Data Protection and Digital Information Bill can be found here.

Canada’s New Federal Law

Although Canada's PIPEDA is a comprehensive data protection law, the Canadian government wishes to strengthen privacy rights even further. 

The proposed Bill C-27 would repeal PIPEDA. 

Its draft includes the following items: 

  • Increased penalties for non-compliance
  • Enhanced data subject rights
  • Transparency around automated decision-making
  • Adding legitimate interests as a legal basis for processing data
  • Requirements for express consent for minors’ data

The Canadian legislature is still debating Bill C-27. 

More information on Bill C-27 can be found here. 

Quebec

The most recent data protection law in Quebec was passed some time ago, but its provisions have only recently been implemented. The majority of them will go into effect in September 2023.

The requirements you need to be aware of include the following:

  • Establish and implement policies and practices for data collection and processing
  • Increase transparency through the privacy policy
  • Inform users about automated processing, if any
  • Conduct privacy impact assessments
  • Conduct privacy impact assessment for cross-border data transfers
  • Establish and implement a data retention policy
  • Obtain consent for data processing
  • Honor users’ requests to exercise the de-indexation rights
  • Establish and implement privacy-by-design

If you're familiar with the GDPR, you'll notice that the Quebec law goes beyond the PIPEDA and has more in common with the GDPR requirements. 

We have a good overview of all the requirements and timelines here.

British Columbia

We wrote a blog post about how the British Columbia provincial government wants to update its data protection law, but it hasn’t been passed yet. There is not enough information to say whether it could happen in 2023. 

Check out our article on BC law to learn more about the upcoming changes and how they might affect you. 

Saudi Arabia

The first-ever comprehensive and sector-agnostic data protection law in Saudi Arabia was set to take effect in 2022, but it has now been delayed until 17 March 2023.

It applies to businesses based in Saudi Arabia that process personal data of Saudi citizens. 

Here are some guidelines to follow if you believe your business falls into this category: 

  • Obtain explicit consent for personal data processing
  • Obtain approval from authorities for data transfers outside of the Kingdom of Saudi Arabia
  • Register as a data controller with authorities and pay an annual fee
  • Register your data processing activities with the authorities
  • Conduct impact assessments to assess the privacy risks to individuals
  • Honor data subject requests to exercise rights
  • Notify authorities of all data breaches

Penalties for violations include a year in prison and a monetary fine of up to one million Saudi Riyals ($250,000). 

Oman Personal Data Protection Law

Effective from 13 February 2023, the Oman Personal Data Protection Law (PDPL) shares many similarities with the EU's General Data Protection Regulation (GDPR) as well as recent laws enacted in Middle Eastern countries such as Bahrain, UAE, Saudi Arabia, and Qatar. The PDPL endows data subjects with an extensive array of rights, encompassing the right to access, correct, delete, transfer, and withdraw consent. The law imposes stringent duties on controllers and processors that manage personal data, such as:

  • Obtaining explicit consent for marketing and advertising purposes,
  • Implementing data security measures,
  • Obtaining approval from authorities to process sensitive personal data, 
  • Carrying out privacy impact assessments of processing activities, and,
  • Appointing a Data Protection Officer if required, among others.

Criminal penalties under the PDPL range from RO500 to RO500,000 ($1.3M), while administrative fines amount to RO2,000 ($5,200).

Argentina

Argentina is one of the few countries in the world to benefit from the European Commission's GDPR adequacy decision. It means that the country provides adequate data protection rights to data subjects. Nonetheless, the government decided to modernize the law in order to keep up with recent technological advancements. 

The law is expected to be passed in 2023. It went through public consultations in 2022 before being presented to the National Assembly. 

The following are the most notable requirements it will impose: 

  • Requiring a legal basis for data processing
  • Honoring data subject requests
  • Providing special protection of children’s data
  • Aligning the international data transfer provisions with the GDPR
  • Granting new data subject rights
  • Requiring the appointment of a DPO for some organizations

Although it is expected to be passed in 2023, the one-year grace period means that no enforcement actions will be taken until 2024. In the meantime, you can prepare for compliance. 

India

India is expected to pass the Digital Personal Data Protection Bill in 2023. The draft text is still being debated, and public consultations are taking place. Still, things are finally getting better, and India will soon have a modern data privacy law.

Indian citizens will be granted data privacy rights, including the ability to access and delete their data. To process the data, the data controller will require a legal basis. 

Consent must be freely given, specific, informed, and unambiguous. The concept of "deemed consent" is also promoted by the law. If the data subject has voluntarily provided the data controller with their personal data for a specific purpose, they are considered to have consented to the data processing. 

It is unclear when it will go into effect. 

Update: Discover the India Digital Personal Data Protection Act – India's first comprehensive data protection law and understand the differences between the GDPR and DPDPA.

Indonesia

The Indonesian Personal Data Protection Law (PDPL) was passed by the national legislative body on October 17, 2022. It will take effect on October 17, 2024, after a two-year transition period. However, you can begin preparing for compliance with its provisions in 2023, as they are stricter than ever.

The PDPL is very similar to the GDPR in the EU. It establishes clear data processing standards, grants data subjects rights, and imposes penalties on noncompliant entities. 

Among the more critical requirements, you need to prepare to:

  • Obtain explicit and specific consent for data processing
  • Provide users with a privacy notice
  • Respond to data subject requests
  • Conduct data protection impact assessments in some cases
  • Notify data subjects and authorities about any data breaches
  • Comply with the overseas data transfer standards
  • Appoint a DPO in some cases

Penalties for failing to comply with the PDPL are limited to between 4 and 6 billion Indonesian rupiahs, or $250,000 to $390,000. Some offenses may result in a prison sentence of 4-6 years. 

Vietnam Data Protection Law

A new data protection law is anticipated to be approved by the Vietnamese government in 2023. Although the draft of the law has not yet been made public, its contents have been deliberated in legislative assemblies. Currently, only the legal justifications for processing personal data without explicit consent are known, namely: 

  • Public interest
  • A person's vital interests
  • Contract execution, and
  • Compliance with legal obligations.

As soon as the draft law is released, we will revise this article and keep you informed of any requirements.

Final Thoughts

While the rest of the world was enacting new data protection laws, little happened on a federal or state level in the United States. Some states are now attempting to catch up with laws that are far more lax than any other law in force outside the United States. 

Outside the United States, the GDPR is about to become the global standard for data protection. All other countries that have recently passed legislation, such as Saudi Arabia and Indonesia, have laws similar to those of the EU. Argentina and India are also about to pass similar legislation. 

Nonetheless, there are still differences in data protection laws between countries. To ensure that your company complies with all applicable laws, stay informed and use compliance solutions such as Secure Privacy.